Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8272 vulnerabilities reference this CWE, most recent first.

GHSA-J7WH-2PRR-HC43

Vulnerability from github – Published: 2022-05-14 02:36 – Updated: 2022-05-14 02:36
VLAI
Details

Buffer overflow in Microsoft Windows Movie Maker (WMM) 2.1, 2.6, and 6.0 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted project file, aka "Movie Maker Memory Corruption Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-2564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-08-11T18:47:00Z",
    "severity": "HIGH"
  },
  "details": "Buffer overflow in Microsoft Windows Movie Maker (WMM) 2.1, 2.6, and 6.0 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted project file, aka \"Movie Maker Memory Corruption Vulnerability.\"",
  "id": "GHSA-j7wh-2prr-hc43",
  "modified": "2022-05-14T02:36:46Z",
  "published": "2022-05-14T02:36:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2564"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-050"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12011"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA10-222A.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J84G-WVVF-889F

Vulnerability from github – Published: 2022-05-17 05:50 – Updated: 2022-05-17 05:50
VLAI
Details

PHP remote file inclusion vulnerability in banned.php in Visitor Logger allows remote attackers to execute arbitrary PHP code via a URL in the VL_include_path parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-2146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-06-03T14:30:00Z",
    "severity": "HIGH"
  },
  "details": "PHP remote file inclusion vulnerability in banned.php in Visitor Logger allows remote attackers to execute arbitrary PHP code via a URL in the VL_include_path parameter.",
  "id": "GHSA-j84g-wvvf-889f",
  "modified": "2022-05-17T05:50:36Z",
  "published": "2022-05-17T05:50:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2146"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/12820"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/40469"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/1296"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J858-XP5V-F8XX

Vulnerability from github – Published: 2021-06-02 21:42 – Updated: 2023-08-25 21:02
VLAI
Summary
Dragonfly contains remote code execution vulnerability
Details

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "dragonfly"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-33564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-01T16:59:54Z",
    "nvd_published_at": "2021-05-29T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the `verify_url` option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.",
  "id": "GHSA-j858-xp5v-f8xx",
  "modified": "2023-08-25T21:02:50Z",
  "published": "2021-06-02T21:42:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markevans/dragonfly/issues/513"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-j858-xp5v-f8xx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlr0p/CVE-2021-33564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/dragonfly/CVE-2021-33564.yml"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-33564.yaml"
    },
    {
      "type": "WEB",
      "url": "https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dragonfly contains remote code execution vulnerability"
}

GHSA-J86V-2R4W-RJJR

Vulnerability from github – Published: 2022-05-01 07:13 – Updated: 2022-05-01 07:13
VLAI
Details

Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-assisted attackers to execute arbitrary code via an unspecified "crafted file," a different vulnerability than CVE-2006-3435, CVE-2006-4694, and CVE-2006-3876.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-3877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-10-10T22:07:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-assisted attackers to execute arbitrary code via an unspecified \"crafted file,\" a different vulnerability than CVE-2006-3435, CVE-2006-4694, and CVE-2006-3876.",
  "id": "GHSA-j86v-2r4w-rjjr",
  "modified": "2022-05-01T07:13:18Z",
  "published": "2022-05-01T07:13:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-3877"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-058"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-015"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A220"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A568"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1017030"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/205948"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/29448"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/449179/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/20325"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA07-044A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/3977"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J892-G9V8-F728

Vulnerability from github – Published: 2025-11-08 00:31 – Updated: 2025-11-08 00:31
VLAI
Details

Various Ruijie Gateway EG and NBR models firmware versions 11.1(6)B9P1 < 11.9(4)B12P1 contain a code execution vulnerability in the EWEB management system that can be abused via front-end functionality. Attackers can exploit front-end code when features such as guest authentication, local server authentication, or screen mirroring are enabled to gain access or execute commands on affected devices. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-06-07 UTC.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-07T22:15:38Z",
    "severity": "CRITICAL"
  },
  "details": "Various Ruijie Gateway EG and NBR models firmware versions 11.1(6)B9P1 \u003c 11.9(4)B12P1 contain a code execution vulnerability in the EWEB management system that can be abused via front-end functionality. Attackers can exploit front-end code when features such as guest authentication, local server authentication, or screen mirroring are enabled to gain access or execute commands on affected devices. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-06-07 UTC.",
  "id": "GHSA-j892-g9v8-f728",
  "modified": "2025-11-08T00:31:00Z",
  "published": "2025-11-08T00:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36870"
    },
    {
      "type": "WEB",
      "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-09650"
    },
    {
      "type": "WEB",
      "url": "https://www.ruijie.com.cn/gy/xw-aqtg-gw/86747"
    },
    {
      "type": "WEB",
      "url": "https://www.ruijie.com.cn/gy/xw-aqtg-zw/85638"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/ruijie-networks-eg-and-nbr-series-routers-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J89G-JW24-W7M8

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2025-04-20 03:49
VLAI
Details

An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x before 5.4.1.3. Authenticated users with permissions to edit design assets can cause Remote Code Execution (RCE) via a maliciously crafted time_format tag.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-30T02:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x before 5.4.1.3. Authenticated users with permissions to edit design assets can cause Remote Code Execution (RCE) via a maliciously crafted time_format tag.",
  "id": "GHSA-j89g-jw24-w7m8",
  "modified": "2025-04-20T03:49:17Z",
  "published": "2022-05-13T01:43:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14198"
    },
    {
      "type": "WEB",
      "url": "http://devalias.net/devalias/2017/09/07/squiz-matrix-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8CW-M86F-RXGW

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2025-10-22 00:32
VLAI
Details

A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-27T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.",
  "id": "GHSA-j8cw-m86f-rxgw",
  "modified": "2025-10-22T00:32:13Z",
  "published": "2022-05-24T19:03:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22900"
    },
    {
      "type": "WEB",
      "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22900"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8FM-J268-RQ9P

Vulnerability from github – Published: 2022-05-17 04:58 – Updated: 2022-05-17 04:58
VLAI
Details

Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-4438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-11-05T18:55:00Z",
    "severity": "HIGH"
  },
  "details": "Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors.  NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe.",
  "id": "GHSA-j8fm-j268-rq9p",
  "modified": "2022-05-17T04:58:29Z",
  "published": "2022-05-17T04:58:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4438"
    },
    {
      "type": "WEB",
      "url": "http://docs.saltstack.com/topics/releases/0.17.1.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/10/18/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J8G3-299P-WXQX

Vulnerability from github – Published: 2022-05-01 18:43 – Updated: 2022-05-01 18:43
VLAI
Details

Multiple PHP remote file inclusion vulnerabilities in Form tools 1.5.0b allow remote attackers to execute arbitrary PHP code via a URL in the g_root_dir parameter to (1) admin_page_open.php and (2) client_page_open.php in global/templates/.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-6464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-12-20T00:46:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple PHP remote file inclusion vulnerabilities in Form tools 1.5.0b allow remote attackers to execute arbitrary PHP code via a URL in the g_root_dir parameter to (1) admin_page_open.php and (2) client_page_open.php in global/templates/.",
  "id": "GHSA-j8g3-299p-wxqx",
  "modified": "2022-05-01T18:43:15Z",
  "published": "2022-05-01T18:43:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6464"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/4736"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/40254"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/40255"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J8G6-5GQC-MQ36

Vulnerability from github – Published: 2025-12-09 17:19 – Updated: 2025-12-11 15:49
VLAI
Summary
Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE)
Details

Impact

MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying). However, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE.

As a result, an attacker who can influence the tool input (e.g., prompt injection through a public agent endpoint) may be able to write arbitrary content to files on the DB server.

If the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory), the impact can escalate to remote code execution on the application host (for example, by writing a PHP web shell).

Who is impacted: Deployments that expose an agent using MySQLSelectTool to untrusted input and run with overly-permissive DB privileges/configuration.

Patches

Not patched in: 2.8.11

Fixed in: 2.8.12

Recommended fix direction:

  • Explicitly reject queries containing: INTO, OUTFILE, DUMPFILE, LOAD_FILE, and other file/IO-related functions/clauses.

  • Prefer AST-based validation (SQL parser) over keyword checks.

  • Constrain allowed tables/columns and disallow multi-statements.

Workarounds

If you cannot upgrade immediately:

  • Remove/disable MySQLSelectTool for any agent reachable from untrusted input.

  • Ensure DB account used by the tool does not have FILE privilege.

  • Ensure secure_file_priv is set to a directory that is not web-accessible (or restrict it tightly).

  • Add a defensive query filter at the application layer rejecting INTO OUTFILE, INTO DUMPFILE, LOAD_FILE, ; (multi-statements), and suspicious comment patterns.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.8.11"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "neuron-core/neuron-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-09T17:19:23Z",
    "nvd_published_at": "2025-12-10T23:15:48Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n`MySQLSelectTool` is intended to be a read-only SQL tool (e.g., for LLM agent querying). However, validation based on the first keyword (e.g., `SELECT`) and a forbidden-keyword list does not block file-writing constructs such as `INTO OUTFILE` / `INTO DUMPFILE`.  \n\nAs a result, an attacker who can influence the tool input (e.g., prompt injection through a public agent endpoint) may be able to write arbitrary content to files on the DB server.\n\nIf the MySQL/MariaDB account has the `FILE` privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory), the impact can escalate to remote code execution on the application host (for example, by writing a PHP web shell).\n\n**Who is impacted:** Deployments that expose an agent using `MySQLSelectTool` to untrusted input and run with overly-permissive DB privileges/configuration.\n\n### Patches\n\n**Not patched in:** 2.8.11  \n\n**Fixed in:** 2.8.12\n\nRecommended fix direction:\n\n- Explicitly reject queries containing: `INTO`, `OUTFILE`, `DUMPFILE`, `LOAD_FILE`, and other file/IO-related functions/clauses.\n\n- Prefer AST-based validation (SQL parser) over keyword checks.\n\n- Constrain allowed tables/columns and disallow multi-statements.\n\n### Workarounds\n\nIf you cannot upgrade immediately:\n\n- Remove/disable `MySQLSelectTool` for any agent reachable from untrusted input.\n\n- Ensure DB account used by the tool **does not** have `FILE` privilege.\n\n- Ensure `secure_file_priv` is set to a directory that is **not** web-accessible (or restrict it tightly).\n\n- Add a defensive query filter at the application layer rejecting `INTO OUTFILE`, `INTO DUMPFILE`, `LOAD_FILE`, `;` (multi-statements), and suspicious comment patterns.",
  "id": "GHSA-j8g6-5gqc-mq36",
  "modified": "2025-12-11T15:49:01Z",
  "published": "2025-12-09T17:19:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-j8g6-5gqc-mq36"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67509"
    },
    {
      "type": "WEB",
      "url": "https://github.com/neuron-core/neuron-ai/commit/72735d0ea133266cf2f5d5d195d41e9dd865289a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/neuron-core/neuron-ai"
    },
    {
      "type": "WEB",
      "url": "https://github.com/neuron-core/neuron-ai/releases/tag/2.8.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Neuron MySQLSelectTool \u201cread-only\u201d bypass via `SELECT ... INTO OUTFILE` (file write \u2192 potential RCE)"
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.